Hi Yaroslav,

Somehow your last email slipped into my archive mail folder unnoticed and remained there for a week, unread (blame my fetchmail setup and the new job I started last Monday).

So here's the new dsc link: http://johnhommer.com//academic/code/aghermann/source/deb/aghermann_0.7.0.1-1.dsc.

Wrt -fPIE -pie flags, after a weekend of seeking the truth I give up. The problem is that, with -pie, linking libsigfile.la fails miserably:

libtool: link: g++ -fPIC -DPIC -shared -nostdlib /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.7/crtbeginS.o .libs/channel.o .libs/source-base.o .libs/source.o .libs/edf.o .libs/page.o .libs/page-metrics-base.o .libs/psd.o .libs/mc.o -lfftw3 -L/usr/lib/gcc/x86_64-linux-gnu/4.7 -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../.. -lstdc++ -lm -lc -lgcc_s -lgcc /usr/lib/gcc/x86_64-linux-gnu/4.7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crtn.o -fopenmp -O2 -Wl,-z -Wl,relro -fopenmp -Wl,-soname -Wl,libsigfile.so -o .libs/libsigfile.so
/usr/lib/x86_64-linux-gnu/libc_nonshared.a(elf-init.oS): In function `__libc_csu_init':
(.text+0x1d): undefined reference to `__init_array_end'
/usr/bin/ld.bfd.real: /usr/lib/x86_64-linux-gnu/libc_nonshared.a(elf-init.oS): relocation R_X86_64_PC32 against undefined hidden symbol `__init_array_end' can not be used when making a shared object
/usr/bin/ld.bfd.real: final link failed: Bad value
collect2: error: ld returned 1 exit status

(Odd thing here is that there appears libc_nonshared.a whereas linking is done with -shared.)

I've googled the matter extensively, and none of the supposed solutions were helping (see, for example, http://gcc.gnu.org/ml/gcc-help/2005-07/msg00168.html and this thread: http://www.mail-archive.com/[email protected]/msg00318.html). There are some "insightful" comments I left in src/libsigfile/Makefile.am.

Eventually, I "fixed" the problem by omitting -pie from the hardening flags (I note that -fPIE remains, as well as -D_FORTIFY_SOURCE=2 and all others). This, again, proves to be enough to make lintian happy.

I would like, for now, to get it released with this interim "solution". Otherwise it's going to be mired in, oh so very interesting but largely gratuitous, exercise in Makefile.am-fu.

As usual :}, builds verified with nd_build:

aghermann_0.7.0.1-1~nd70+2_i386.build OK 6:15.07 real, 173.55 user, 15.88 sys, 0 out
aghermann_0.7.0.1-1~nd70+2_amd64.build OK 6:23.82 real, 174.63 user, 19.36 sys, 0 out
aghermann_0.7.0.1-1~nd+2_i386.build OK 6:45.78 real, 197.76 user, 16.56 sys, 0 out
aghermann_0.7.0.1-1~nd+2_amd64.build OK 6:44.47 real, 194.86 user, 20.68 sys, 0 out

It also builds on ubuntu precise.

(Honestly, nd_build was a great idea.)

Cheers,
Andrei

On Mon, 2 Jul 2012 10:06:44 -0400 Yaroslav Halchenko <[email protected]> wrote:

> Hi Andrei,
>
> Since wheezy is frozen now, all fresh uploads with substantial changes
> (e.g. new upstream release) should target 'experimental' instead of
> 'unstable' in debian/changelog. I will upload backports to NeuroDebian
> anyways ;-)
>
> now hardening, which I am not much of an expert unfortunately:
>
> > Recently lintian has grown clever enough to require -D_FORTIFY_SOURCE
>
> ;-) mention that those are just warnings, so theoretically could be
> ignored (unless it is a daemon app etc), but it is indeed great to have
> them addressed
>
> > and other nifty things as described here:
> > http://wiki.debian.org/Hardening. I now duly added the recommended flags
> > to CXXFLAGS, which is not representing an issue to write about per se
> > except for the fact that I had to omit -fPIE and -pie. With these latter
> > two, my private libsigfile.so fails to build.
>
> interesting... as far as I see it *pie* hardening is even more
> optional and surprised that the dyn library doesn't build for you with
> fPIC?
>
> > However, adding the following to my debian/rules happens to be enough to
> > silence lintian:
>
> ;-) per se you don't need to "silence" it (yet) for these
>
> > export DEB_BUILD_HARDENING=1
> >
> > CXXFLAGS=$(shell dpkg-buildflags --get CFLAGS)
> > LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
> > # CXXFLAGS+=$(HARDENING_CFLAGS)
> > # LDFLAGS+=$(HARDENING_LDFLAGS)
> > ## hardening-wrapper doesn't seem to be available
> > ## on all target arches yet, so try adding these flags manually
> > export CXXFLAGS += -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -fstack-protector --param ssp-buffer-size=4
> > export LDFLAGS += -z relro -z now
>
> well -- if you just care to "silence lintian", i.e. to introduce
> hardening only where supported, you could do smth like what I have done
> for freeipmi:
>
> override_dh_auto_configure:
> 	dh_auto_configure -- $(shell dpkg-buildflags --export=configure | grep CFLAGS )
>
> so, where dpkg-buildflags provides those hardening flags -- they would
> be used. and would build just fine otherwise
>
> > Here's the link to .DSC file:
> > http://johnhommer.com/academic/code/aghermann/source/deb/aghermann_0.7.0-1.dsc.
> > Hope all will build well.
>
> does it for you? ;-) so tune up release to experimental and may be give it a
> 2nd thought on how to treat hardening args and reupload .dsc
>
> Cheers!

Archive: http://lists.debian.org/20120709012409.087cfcfa@ra

